implemented functioning oauth2-proxy

2025-02-22 20:39:40 +01:00 · 2025-01-26 15:15:23 +01:00 · 2025-01-26 15:15:23 +01:00 · c35eb10343
commit c35eb10343
parent 7b9959af21
7 changed files with 66 additions and 20 deletions
--- a/roles/docker-oauth2-proxy/tasks/main.yml
+++ b/roles/docker-oauth2-proxy/tasks/main.yml
@ -0,0 +1,6 @@
+- name: "Transfering oauth2-proxy-keycloak.cfg.j2 to {{docker_compose_instance_directory}}"
+  copy:
+    src: oauth2-proxy-keycloak.cfg.j2
+    dest: "{{docker_compose_instance_directory}}oauth2-proxy-keycloak.cfg"
+#  notify:
+#    - docker compose project setup
--- a/roles/docker-oauth2-proxy/templates/container.yml.j2
+++ b/roles/docker-oauth2-proxy/templates/container.yml.j2
@ -0,0 +1,24 @@
+  oauth2-proxy:
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.8.1
+    #image: quay.io/oauth2-proxy/oauth2-proxy:{{oauth2_version}}
+    restart: {{docker_restart_policy}}
+    command: --config /oauth2-proxy.cfg
+    hostname: oauth2-proxy
+    #environment:
+    #  OAUTH2_PROXY_PROVIDER:      "keycloak"                        # The OAuth2 provider, in this case, Keycloak. Change based on your provider (e.g., Google, GitHub).
+    #  OAUTH2_PROXY_OIDC_ISSUER_URL: "https://auth.veen.world/auth/realms/veen.world"
+    #  OAUTH2_PROXY_CLIENT_ID:     "{{domain}}"                      # The client ID configured in Keycloak for the application.
+    #  OAUTH2_PROXY_CLIENT_SECRET: "{{oauth2_proxy_client_secret}}"  # The client secret configured in Keycloak for the application.
+    #  OAUTH2_PROXY_COOKIE_SECRET: "{{oauth2_proxy_cookie_secret}}"  # A random 32-character string used to sign cookies for session management. Generate with `openssl rand -base64 32`.
+    #  #OAUTH2_PROXY_EMAIL_DOMAINS: "{{primary_domain}}"              # The allowed email domain(s) for authentication. Example: "example.com".
+    #  OAUTH2_PROXY_REDIRECT_URL:  "{{oauth2_proxy_redirect_url}}"   # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak.
+    #  OAUTH2_PROXY_UPSTREAMS:     "http://127.0.0.1:{{http_port}}"  # The internal upstream service (your application) that OAuth2-Proxy protects.
+    ports:
+    #  - "127.0.0.1:{{oauth2_proxy_port}}:4180"
+      - 4180:4180/tcp
+    volumes:
+      - "./oauth2-proxy-keycloak.cfg:/oauth2-proxy.cfg"
+{% include 'templates/docker/container/networks.yml.j2' %}
+#      keycloak: {}
+#      httpbin: {}
+#      oauth2-proxy: {}
--- a/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
+++ b/roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
@ -0,0 +1,18 @@
+http_address="0.0.0.0:4180"
+cookie_secret="{{oauth2_proxy_cookie_secret}}"
+email_domains="{{primary_domain}}"
+cookie_secure="false"
+upstreams="http://proxy:80"
+cookie_domains=["{{domain}}", "{{domain_keycloak}}"]    # Required so cookie can be read on all subdomains.
+whitelist_domains=[".{{primary_domain}}"]               # Required to allow redirection back to original requested target.
+
+# keycloak provider
+client_secret="{{oauth2_proxy_client_secret}}"
+client_id="{{domain}}"
+#redirect_url="http://oauth2-proxy.localtest.me:4180/oauth2/callback"
+redirect_url="https://{{domain}}/oauth2/callback"
+
+# in this case oauth2-proxy is going to visit
+oidc_issuer_url="https://{{domain_keycloak}}/realms/{{primary_domain}}"
+provider="oidc"
+provider_display_name="Keycloak"
--- a/roles/docker-openproject/tasks/main.yml
+++ b/roles/docker-openproject/tasks/main.yml
@ -8,6 +8,12 @@
 - name: "include tasks update-repository-with-docker-compose.yml"
  include_tasks: update-repository-with-docker-compose.yml

+- name: "Transfering oauth2-proxy-keycloak.cfg.j2 to {{docker_compose_instance_directory}}"
+  template:
+    src: roles/docker-oauth2-proxy/templates/oauth2-proxy-keycloak.cfg.j2
+    dest: "{{docker_compose_instance_directory}}oauth2-proxy-keycloak.cfg"
+  notify:
+    - docker compose project setup

 - name: "Transfering Gemfile.plugins to {{docker_compose_instance_directory}}"
  copy:
--- a/roles/docker-openproject/templates/docker-compose.yml.j2
+++ b/roles/docker-openproject/templates/docker-compose.yml.j2
@ -22,7 +22,7 @@ services:

 {% include 'templates/docker/services/' + database_type + '.yml.j2' %}

-{% include 'templates/docker/services/oauth2-proxy.yml.j2' %}
+{% include 'roles/docker-oauth2-proxy/templates/container.yml.j2' %}

  cache:
    image: memcached
--- a/roles/nginx-docker-reverse-proxy/templates/domain.conf.j2
+++ b/roles/nginx-docker-reverse-proxy/templates/domain.conf.j2
@ -2,9 +2,16 @@ server
 {
  server_name {{domain}};

-  # Include OAuth2 Proxy
  {% if oauth2_proxy_active | bool %}
-  # OAuth2-Proxy-Endpunkte
+  # Include OAuth2 Proxy
+  # Raise the maximal header size.
+  # Keycloak uses huge headers for authentification 
+  proxy_buffer_size 16k;
+  proxy_buffers 8 16k;
+  proxy_busy_buffers_size 16k;
+  large_client_header_buffers 4 16k;
+
+  # OAuth2-Proxy-Endpoint
  location /oauth2/ {
      proxy_pass http://127.0.0.1:{{oauth2_proxy_port}};
      proxy_set_header Host $host;
@ -14,13 +21,13 @@ server
  }
  {% endif %}

-  # Include Matomo Tracking Code
  {% if nginx_matomo_tracking | bool %}
+    # Include Matomo Tracking Code
    {% include 'roles/nginx-matomo-tracking/templates/matomo-tracking.conf.j2' %}
  {% endif %}

-  # Additional Domain Specific Configuration
  {% if nginx_docker_reverse_proxy_extra_configuration is defined %}
+    # Additional Domain Specific Configuration
    {{nginx_docker_reverse_proxy_extra_configuration}}
  {% endif %}

--- a/templates/docker/services/oauth2-proxy.yml.j2
+++ b/templates/docker/services/oauth2-proxy.yml.j2
@ -1,15 +0,0 @@
-  oauth2-proxy:
-    image: quay.io/oauth2-proxy/oauth2-proxy:{{oauth2_version}}
-    restart: {{docker_restart_policy}}
-    environment:
-      OAUTH2_PROXY_PROVIDER:      "keycloak"                        # The OAuth2 provider, in this case, Keycloak. Change based on your provider (e.g., Google, GitHub).
-      OAUTH2_PROXY_OIDC_ISSUER_URL: "https://auth.veen.world/auth/realms/veen.world"
-      OAUTH2_PROXY_CLIENT_ID:     "{{domain}}"                      # The client ID configured in Keycloak for the application.
-      OAUTH2_PROXY_CLIENT_SECRET: "{{oauth2_proxy_client_secret}}"  # The client secret configured in Keycloak for the application.
-      OAUTH2_PROXY_COOKIE_SECRET: "{{oauth2_proxy_cookie_secret}}"  # A random 32-character string used to sign cookies for session management. Generate with `openssl rand -base64 32`.
-      #OAUTH2_PROXY_EMAIL_DOMAINS: "{{primary_domain}}"              # The allowed email domain(s) for authentication. Example: "example.com".
-      OAUTH2_PROXY_REDIRECT_URL:  "{{oauth2_proxy_redirect_url}}"   # The redirect URL for the OAuth2 flow. It should match the redirect URL configured in Keycloak.
-      OAUTH2_PROXY_UPSTREAMS:     "http://127.0.0.1:{{http_port}}"  # The internal upstream service (your application) that OAuth2-Proxy protects.
-    ports:
-      - "127.0.0.1:{{oauth2_proxy_port}}:4180"
-{% include 'templates/docker/container/networks.yml.j2' %}